In the Claims

Kindly amend claims 1-4, 8 and 17 as follows: 



1. (Currently Amended) In a firewall device having a plurality of communication
interfaces, a packet filtering component coupled to each of the interfaces, a switching 
process component coupled to each of the interfaces, and a firewall services component 
coupled to the switching process component, a firewall system comprising:

a) a session manager operating in said firewall services component, said session 
manager structured and configured to instantiate a plurality of sessions in said 
firewall services component and a plurality of mini-sessions in said switching 
process component, each of said plurality of sessions having header and 
payload information related to a corresponding data transfer within the 
firewall device, each of said plurality of mini-sessions corresponding to a 
session and including header information related the corresponding data 
transfer within the firewall device, wherein said plurality of mini-sessions
comprises instantiated software modules residing in the same address space as
said switching process component: and

b) a firewall module operating in said switching process coupled to said plurality 
of mini-sessions, said firewall module configured to intercept data packets 
received into the interfaces, said firewall module further configured to track 
session context of said data packets. 

2. (Currently Amended) The firewall system of claim 1, wherein said session 
manager is further structured and configured to manage said plurality of sessions and said 
plurality of mini-sessions. 

3. (Currently Amended) The firewall system of claim 1, wherein said session 
manager is further structured and configured to delete said plurality of sessions and said 
plurality of mini-sessions. 

4. (Currently Amended) The firewall system of claim 1, wherein said firewall
module is further configured to intercept data packets before reception by said packet
filtering component, said firewall module further configured to set a "pass" flag in data
packets according matching header information in intercepted data packets and said
header information in said plurality of mini-sessions.

5. (Original) The firewall system of claim 4, wherein said packet filtering component 
is configured to bypass "Access Control List" authorization of data packets having a 
"pass" flag. 

6. (Original) The firewall system of claim 1, wherein said firewall module is further 
configured to intercept data packets before reception by said packet filtering component, 
said firewall module further configured to set a "do not divert" flag in data packets when 
packet inspection of said intercepted data packets does not require application-level 
inspection. 

7. (Original) The firewall system of claim 6, wherein said firewall module is 
configured to bypass authorization of data packets having a "do not divert" flag with said 
firewall services component. 

8. (Currently Amended) In a firewall device having a plurality of communication 
interfaces, a packet filtering component coupled to each of the interfaces, a switching 
process component coupled to each of the interfaces, and a firewall services component 
coupled to the switching process component, a method for optimizing firewall processing
comprising: 

a) providing a session manager in the firewall services component; 

b) providing a firewall module in the switching process component; 

c) instantiating a session, by said session manager, for data transfers within the
firewall device, said sessions having header and payload information related to 
data transfers within the firewall device; and 

d) instantiating a mini-session, by said session manager, corresponding to said 
instantiated session, said mini-session having header information related to 
data transfers within the firewall device, wherein said mini-session comprises
instantiated software modules residing in the same address space as said
switching process component.



9. (Original) The method of claim 8, further comprising: 

a) intercepting data packets having a header and a payload component, by said 
firewall module, before reception by the packet filtering component; and 

b) setting a "pass" flag in the intercepted data packets when said header 
component is the intercepted data packets matches said header information in 
said mini-session. 



10. (Original) The method of claim 8, further comprising: 

a) checking data packets for a "pass" flag, by said packet filtering component; 
and 

b) bypassing "access control list" check, if a "pass" flag is found in said checked 
data packets. 



11. (Original) The method of claim 8, further comprising:

a) intercepting data packets having a header and a payload component, by said 
firewall module, before reception by the packet filtering component; and 

b) setting a "do not divert" flag in the intercepted data packets when packet 
inspection does not require application-level inspection. 

12. (Original) The method of claim 8, further comprising:

a) checking data packets for a "do not divert" flag, by said firewall module; and 

b) bypassing "access control list" check, if a "do not divert" flag is found in said 
checked data packets. 

13. (Original) The method of claim 8, further comprising bypassing authorization with 
the firewall services component, by the firewall module, for data packets header 
information matching header information in said mini-sessions. 

14. (Original) The method of claim 8, further comprising deleting said session and 
associated mini-session when data transfer associated with said sessions and mini-session 
is completed. 

15. (Original) The method of claim 8, further comprising deleting said session and 
associated mini-session when data transfer associated with said sessions and mini-session 
is idle past a predetermined timeout period. 

16. (Original) The method of claim 8, further comprising updating context of said 
mini-session, by said firewall module, without sending packets to said firewall services 
component. 

17. (Currently Amended) A program storage device readable by a machine, tangibly 
embodying a program of instructions executable by the machine to perform a method for 
optimizing firewall processing in a firewall device having a plurality of communication 
interfaces, a packet filtering component coupled to each of the interfaces, a switching 
process component coupled to each of the interfaces, and a firewall services component 
coupled to the switching process component, said method comprising:

a) providing a session manager in the firewall services component; 

b) providing a firewall module in the switching component;

c) instantiating a session, by said session manager, for data transfers within the 
firewall device, said sessions having header and payload information related to 
data transfers within the firewall device; and 

d) instantiating a mini-session, by said session manager, corresponding to said 
instantiated session, said mini-session having header information related to 
data transfers within the firewall device, wherein said mini-session comprises
instantiated software modules residing in the same address space as said
switching process component.

18. (Original) The program storage device of claim 17, said method further 
comprising: 

a) intercepting data packets having a header and a payload component, by said 
firewall module, before reception by the packet filtering component; and 

b) setting a "pass" flag in the intercepted data packets when said header
component is the intercepted data packets matches said header information in
said mini-session.

19. (Original) The program storage device of claim 17, said method further
comprising:

a) checking data packets for a "pass" flag, by said packet filtering component;
and

b) bypassing "access control list" check, if a "pass" flag is found in said checked
data packets.

20. (Original) The program storage device of claim 17, said method further
comprising:

a) intercepting data packets having a header and a payload component, by said
firewall module, before reception by the packet filtering component; and

b) setting a "do not divert" flag in the intercepted data packets when said
intercepted data packets packet inspection does not require application-level 
inspection. 

21. (Original) The program storage device of claim 17, said method further 
comprising: 

a) checking data packets for a "do not divert" flag, by said firewall module; and 

b) bypassing "access control list" check, if a "do not divert" flag is found in said 
checked data packets. 

22. (Original) The program storage device of claim 17, said method further 
comprising bypassing authorization with the firewall services component, by the firewall
module, for data packets header information matching header information in said
mini-sessions.



23. (Original) The program storage device of claim 17, said method further 
comprising deleting said session and associated mini-session when data transfer 
associated with said sessions and mini-session is completed. 

24. (Original) The program storage device of claim 17, said method further 
comprising said session and associated mini-session when data transfer associated with 
said sessions and mini-session is idle past a predetermined timeout period. 

25. (Original) The program storage device of claim 17, said method further 
comprising updating context of said mini-session, by said firewall module, without 
sending packets to said firewall services component. 